History of Major Breaches of Healthcare Privacy.

Yesterday I wrote about the major breach of privacy of protected personal medical information involving the major health insurer, Anthem, by an as yet unknown hacker. As many as 80 million individual patients were put at risk. I expressed my opinion that such breaches are to be expected in our current healthcare world. Subsequently, in coverage of the matter by Modern Healthcare, it was noted that the largest previous breach resulting from hacking was a 2014 episode at Community Health Systems of Tennessee. That cyber-attack — involving a mere 4.5 million records — is thought to have originated in China.

Being a curious sort, I extracted all the HHS reports of breaches involving more than 100,000 records. It can be viewed here. There have been 40 instances of such breaches reported to the Office of Civil Rights in HHS, 10 of these greater than a million. A total of 33.6 individuals were exposed. In these breaches, the covered entity compromised was a Business Associate in 19, Healthcare Provider in 14, and a Health Plan in 7.

While physical theft of records in one form or another remains a common type of major breach, it is clear that the ability to penetrate network servers by theft, hacking or by unauthorized access provides the best high-yield approach for data-thieves. It is also clear that business associates of healthcare providers and plans are a weak link. Why am I not surprised?

Inspection of the names of the covered entities reveals a wide range of entities including: health plans, medical centers, state & federal government agencies, contractors & consultants, and drug stores.

It should be noted that the fact that a breach occurred did not necessarily mean that the data was misused — a thief may have just wanted the laptop! However, potential misuse is always a possibility. Recall that only breaches involving more than 500 individuals appear on this government list, and that the number of breaches of any size not reported or recognized is completely unknown.

Peter Hasselbacher, MD
Feb 17, 2015